Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2235
Views
0
Helpful
1
Replies

<<< No Message Collected >>> || esmtp inspection

alleycatcomp
Level 1
Level 1

‎02-01-2011 04:53 PM - edited ‎03-11-2019 12:43 PM

I just wanted to let everyone know of a solution to an smtp routing issues I was having today....

With Cisco ASA and esmtp inspection enabled with an Exchange 2003 server behind the ASA, I was having problems sending & receiving emails.

I am running 8.3.2 on an ASA 5510, however this should apply to the 7.x ios and other ASA models as well. It should also apply to all versions of Microsoft Exchange, 2003, 2007 & 2010.

Incoming emails were either being delayed or not be received.

Outgoing emails were either being delayed or not being sent.

The Exchange SMTP logs were showing:

For Incoming emails:

dsn=4.0.0, stat=Deferred: 451 Timeout waiting for client input

For outgoing emails:

421+4.4.2+mtain-dl02.r1000. <domain name here> +Error:+timeout+exceeded

In addition, a number of incoming emails were being received with the body stripped out, and replaced simply with:

<<< No Message Collected >>>

Very troubling....

Solution:

Solution is to do a 'no inspect esmtp' on the global_policy_map.

The esmtp inspection is the replacement for the notorious fixup on PIX devices.

Hoping this helps someone else...

Here's the code:

CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect esmtp
CiscoASA(config-pmap-c)# exit
CiscoASA(config-pmap)# exit

Labels:
0 Helpful
1 Reply 1

voipesec1
Level 1
Level 1

‎02-07-2011 01:25 PM

esmtp inspection protects against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA. What you did, removes this functionality and lowers the security. When the inspection was enabled, did you look at the output of 'show service-policy' to see if there were any drops for esmtp inspection? If there were, you need to figure out what traffic is non compliant.

Admin,

Voipesec Network Solutions

http://www.voipesec.com

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card